macless-haystack
2FA not working
I have an apple account with 2FA enabled made for this project. I was already using openhaystack on a MacOS VM.
I was able to set up the docker containers.
But after launching the docker with `docker run -it --restart unless-stopped --name macless-haystack -p 6176:6176 --volume mh_data:/app/endpoint/data --network mh-network christld/macless-haystack` and logging in with my Apple ID and password, it keeps asking for 2FA.
I don't receive an SMS when it asks for 2FA, so I launched my MacOS VM and in settings I clicked on "verification code", so I get a 6-digit code. But entering this one doesn't do the trick and it keeps asking for 2FA.
I tried connecting to icloud.com and requesting my 2FA via SMS, and not entering this code in my browser for icloud.com but instead entering it when macless-haystack asks, but the same problem: it keeps asking for 2FA.
Does someone know why?
Hello @maximushugus ,
could you please try out the authentication with Biemster's project. This is all based on that. If this works I can dig deeper.
Kind Regards, Danny
Ok, so here is what I did:
- I launched anisette on docker with `docker run -d --restart always --name anisette -p 6969:6969 --volume anisette-v3_data:/home/Alcoholic/.config/anisette-v3/lib/ --network mh-network dadoum/anisette-v3-server`. I verified it seems to be working because if I do `curl localhost:6969` I get an answer.
- Then I `git clone https://github.com/biemster/FindMy` and `cd FindMy`.
- To make it work I had to install `pip install cryptography` and `pip install pbkdf2` and `pip install srp` and `pip install pycryptodome`.
- I run `./request_reports.py`
Here is my output:
```
ubuntu@vm:~/FindMy$ ./request_reports.py
Apple ID: [email protected]
Password:
pyprovision is not installed, querying http://localhost:6969 for an anisette server
pyprovision is not installed, querying http://localhost:6969 for an anisette server
2FA required, requesting code
pyprovision is not installed, querying http://localhost:6969 for an anisette server
Enter 2FA code:
```
At this point I do not receive an SMS, nor do I have a prompt on my MacOS VM for a verification code as when I try to connect to icloud.com for example. I tried to enter the 2FA code I obtain by manually clicking on "obtain a verification code" on the MacOS VM, but it doesn't work and the prompt above starts again. I also tried to go to icloud.com and ask for an SMS 2FA, not using it on icloud.com but instead entering it in the program, but with the same result. If I just press enter, leaving the 2FA empty, the same result.
Ok, then it seems to be more of an issue with the account rather than with the code from the project. Can you possibly create an additional Apple account (which can also use the same phone number) and try again?
I tried but it didn't work. Is it normal that I see nothing in the anisette logs when I'm trying to log in?
```
docker logs anisette -f
app INFO 2024-02-21T12:05:41.773 anisette-v3-server v2.1.0
app INFO 2024-02-21T12:05:41.796 Creating machine...
app INFO 2024-02-21T12:05:41.798 Machine creation done!
app INFO 2024-02-21T12:05:41.798 Machine requires provisioning...
app INFO 2024-02-21T12:05:43.222 Provisioning done!
[main(----) INF] Listening for requests on http://0.0.0.0:6969/
```
The behavior is strange, and I'm afraid I can't really help further. Otherwise, I would recommend removing everything and starting fresh. You can check if the Anisette server is running correctly by accessing the URL. There, you should see a JSON.
> [main(----) INF] Listening for requests on http://0.0.0.0:6969/

The IP looks wrong to me. Are you sure you set up mh-network correctly?
@supaeasy Anisette seems to be working properly because if I do:
`curl http://localhost:6969` I get this JSON (modified):
{"X-Apple-I-Client-Time":"2024-03-04T17:42:21Z","X-Apple-I-MD":"AAAABQAXXXXXXZQJt/q2Pt1YMw7dcyqV/7AAAABA==","X-Apple-I-MD-LU":"5011D56E92AFD6A880XXXXXXXBC697D23C45985E9A1987F50B6D0CC8D7ADB9","X-Apple-I-MD-M":"z6xuBAi6XXXXXXXqJ+f3We0gJUoXb+jrbDQhkP0HtlvAd0qV87nyf+fVdZCm1aTu3/qy+Be7BBgHyS","X-Apple-I-MD-RINFO":"17996176","X-Apple-I-SRL-NO":"0","X-Apple-I-TimeZone":"UTC","X-Apple-Locale":"en_US","X-MMe-Client-Info":"<MacBookPro13,2> <macOS;13.1;22C65> <com.apple.AuthKit/1 (com.apple.dt.Xcode/3594.4.19)>","X-Mme-Device-Id":"AAXXXXXXA-773B-4AFC-866F-948E97F875FA
Also when launching macless-haystack, if I check the logs of anisette I see:
app INFO 2024-03-04T17:59:33.530 [<<] anisette-v1 request
And a response, so the 2 containers are communicating.
When launching macless-haystack I see a strange behavior, maybe this is related:
```
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (88/88), done.
remote: Compressing objects: 100% (47/47), done.
remote: Total 75 (delta 37), reused 56 (delta 25), pack-reused 0
Unpacking objects: 100% (75/75), 3.62 MiB | 18.26 MiB/s, done.
From https://github.com/dchristl/macless-haystack
   branch main -> FETCH_HEAD
   32ab133..e2ad25c main -> origin/main
2024-03-04 17:46:54,267 - INFO - No auth-token found.
2024-03-04 17:46:54,268 - INFO - Trying to register new device.
Apple ID: [email protected]
Password:
2024-03-04 17:47:20,772 - INFO - 2FA required, requesting code
2024-03-04 17:47:22,892 - INFO - 2FA required, requesting code
Enter 2FA code: 326094
2024-03-04 17:48:02,547 - INFO - 2FA successful
2024-03-04 17:48:04,620 - INFO - 2FA required, requesting code
Enter 2FA code:
```
Here is what is strange:
- As you can see there are 2 lines saying it's requesting 2FA. Maybe this is why, even if I enter the 2FA, it's still asking for the 2nd 2FA?
- Even if I enter a random 2FA I get at least one line saying `2FA successful`
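The advice earlier in the thread is to open the anisette URL and confirm you "see a JSON", and the reply posted above shows which keys such a JSON carries. The script below is an added example, not code from macless-haystack or anisette-v3-server: it fetches the reply from `http://localhost:6969`, checks that the body parses and that the `X-Apple-*` keys seen above are present and non-empty, and reports a client time far from the local clock. Which keys are mandatory and whether a skewed clock matters are assumptions of this example; the sample payloads are constructed from the redacted output above.

```python
"""Sanity check for the anisette server reply, as suggested earlier in this thread.

Added example, not code from macless-haystack or anisette-v3-server. It assumes
only what the thread shows: `curl http://localhost:6969` returns a JSON object
whose keys are the X-Apple-* provisioning headers. The key list and the sample
payloads are constructed from the redacted output posted above.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import List, Optional

# Keys present in the reply posted above; treating them all as required is an assumption.
REQUIRED_KEYS = (
    "X-Apple-I-Client-Time",
    "X-Apple-I-MD",
    "X-Apple-I-MD-LU",
    "X-Apple-I-MD-M",
    "X-Apple-I-MD-RINFO",
    "X-Mme-Device-Id",
    "X-MMe-Client-Info",
)

# Constructed sample: the shape of the reply above with placeholder values.
SAMPLE_OK = json.dumps({
    "X-Apple-I-Client-Time": "2024-03-04T17:42:21Z",
    "X-Apple-I-MD": "AAAABQAXXXXXXZQJt/q2Pt1YMw7dcyqV/7AAAABA==",
    "X-Apple-I-MD-LU": "5011D56E92AFD6A880XXXXXXXBC697D23C45985E9A1987F50B6D0CC8D7ADB9",
    "X-Apple-I-MD-M": "z6xuBAi6XXXXXXXqJ+f3We0gJUoXb+jrbDQhkP0HtlvAd0qV87nyf+fVdZCm1aTu3/qy+Be7BBgHyS",
    "X-Apple-I-MD-RINFO": "17996176",
    "X-Apple-I-SRL-NO": "0",
    "X-Apple-I-TimeZone": "UTC",
    "X-Apple-Locale": "en_US",
    "X-MMe-Client-Info": "<MacBookPro13,2> <macOS;13.1;22C65> <com.apple.AuthKit/1 (com.apple.dt.Xcode/3594.4.19)>",
    "X-Mme-Device-Id": "AAXXXXXXA-773B-4AFC-866F-948E97F875FA",
})
# Constructed failure case: a body cut off mid-way, like the one pasted in the thread.
SAMPLE_TRUNCATED = SAMPLE_OK[:-12]
# Reference "now" matching the sample's client time, used by the checks below.
SAMPLE_NOW = datetime(2024, 3, 4, 17, 42, 21, tzinfo=timezone.utc)


def check_anisette(body: str, now: Optional[datetime] = None, max_skew_s: int = 300) -> List[str]:
    """Return a list of problems found in one anisette reply; empty means it looks usable."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["body is JSON but not an object"]

    problems = [f"missing or empty header {k}" for k in REQUIRED_KEYS if not data.get(k)]

    # A client time far from the local clock usually means the anisette host's clock
    # is wrong; reporting it is this example's choice, not documented project behaviour.
    stamp = data.get("X-Apple-I-Client-Time")
    if stamp:
        try:
            client_time = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("X-Apple-I-Client-Time is not a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ")
        else:
            skew = abs(((now or datetime.now(timezone.utc)) - client_time).total_seconds())
            if skew > max_skew_s:
                problems.append(f"X-Apple-I-Client-Time is {int(skew)}s away from the local clock")
    return problems


def check_anisette_url(url: str = "http://localhost:6969", timeout: float = 5.0) -> List[str]:
    """Fetch the reply from a running anisette container and check it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except OSError as exc:  # connection refused, name resolution failure, timeout
        return [f"cannot reach {url}: {exc}"]
    return check_anisette(body)


if __name__ == "__main__":
    for problem in check_anisette_url() or ["anisette reply looks OK"]:
        print(problem)
```

Run it on the host next to the container (`python3 check_anisette.py`); an empty problem list means the container answers with a complete header set, which separates "anisette is broken" from "Apple rejects this account", the distinction the rest of the thread turns on.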
The output is very strange and each line should be there only once. It seems like the server in the container is starting twice. Have you tried resetting everything as I suggested before? Do you have an auth.json file in the data folder (usually /var/lib/docker/volumes/mh_data/_data)? Which operating system are you using as the host? Do you have another computer to try it out there?
Yes it's strange, because as you can see each line appears only once until I give my password. Then you can see two lines for 2FA. I tried resetting everything but it didn't change anything. I'm testing this on an aarch64 platform (my test server is on Oracle Free Tier), maybe this is causing the issue. I will try to find the version of the container, maybe this isn't the latest version for aarch64 compared to x86. But I'm almost certain I tried it on my x86-64 VPS with the exact same result.
Maybe the architecture is the issue, although there is no reason for it. I also have my endpoint running on an Oracle Free Tier, but with x86.
Output of uname -a:
Linux headless-haystack 5.15.0-1052-oracle #58-Ubuntu SMP Tue Feb 13 19:43:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
It has been working without problems for weeks. It is really hard to help you here. Have you tried changing your terminal application for the ssh session?
Hi, @dchrist. I also encountered the same problem. After submitting 2FA it succeeded, but then kept asking for a new 2FA auth.
I'm using ubuntu on x86, it's a home service. Should I open 6969 or 6176 port?
Same problem
same issue
Hello @YupengLai4 ,
> I'm using ubuntu on x86, it's a home service. Should I open 6969 or 6176 port?

There is no need to open any port. Your output looks like it works in general.
Could you try to register your device with Biemster's version? If this works, I can go deeper or you can transfer the auth.json to macless-haystack.

> Could you try to register your device with Biemster's version? If this works, I can go deeper or you can transfer the auth.json to macless-haystack.
Thanks for your response! I tried both macless-haystack and the Biemster one but unfortunately the issue persisted :(
Then I think it is a problem with your account (Apple-ID). Maybe you can create a new one and try again. Some accounts work while others don't, but nobody has really figured out why that is yet.
I had the same issue; as @dchristl mentioned, the culprit was in the Apple ID account. I didn't get a 2FA SMS because the Apple ID was using an outdated phone number. To fix:
- Go to icloud.com and log in with your Apple ID.
- Click your profile picture > Manage Apple ID.
- Click Account Security > Enable 2FA and make sure the trusted phone number is correct.
2FA works for me, it sends out an SMS:
`sudo docker run -it --restart unless-stopped --name macless-haystack -p 6176:6176 --volume mh_data:/app/endpoint/data --network mh-network christld/macless-haystack`
Make sure it works from the official Apple website first.
Hi guys,
Still does not work for me. I'm using it on a MacBook Pro 2019, with Mac OS 14.3.1 Sonoma. Should it work?
When asking for 2FA, I receive no message or device alert. But I can manually generate a 2FA code from my iCloud settings.
What is weird is that for any code that I enter (correct or incorrect, like 0000) the system always says "2FA successful" and then starts the procedure again, asking me for the Apple ID again.
Do you have any clue what I'm doing wrong? Should I even be able to run it correctly?
Thanks a lot
What's the tail of your console look like?
I was wondering how to get SMS 2FA after I added an iPhone, since Apple prefers the device alert on the website. I might not have access to the iPhone after adding it.
I get the messages multiple times too
I would like to help, but I cannot reproduce the double output issue. I have tried it on x86 (Linux, various derivatives) and on Armv8, and I always receive only one prompt for SMS 2FA. Unfortunately, I do not have a Mac (which is also the reason for the project ;) ), so I cannot test it here. Statements like "I have the same problem" do not really help here. I need at least the host OS and which shell is being used, to narrow down the error. An alternative would be to try running the endpoint natively, without Docker (python3 has to be installed).
git clone https://github.com/dchristl/macless-haystack.git
cd macless-haystack/endpoint/
pip install --no-cache-dir -r requirements.txt
python3 mh_endpoint.py
That is the same thing the container is doing.
@a-camacho
Normally it should work, but you can also follow my instructions and try again. Although I don't think the errors are related (Apple's account management is extremely opaque in determining which account works and which doesn't), it might help to narrow down the issue.

> Statements like "I have the same problem" do not really help here. I need at least the host OS and which shell is being used, to narrow down the error. An alternative would be to try running the endpoint natively, without Docker (python3 has to be installed).

Sorry, I was on the go, so I couldn't provide more information. I'm using Debian 12 on a server with the default bash shell. Running your container on this server outputs the multiple lines of text.
The code for running it locally also gives me an error. :(
`ModuleNotFoundError: No module named 'Crypto'`
> I'm using Debian 12 on a server with the default bash shell. Running your container on this server outputs the multiple lines of text.

Thank you for your answer. I'm using several Debian or Ubuntu Server systems, because this is my preferred system. I will install a fresh one and retry it. Are you connected to this server by ssh or directly (with a physical keyboard)? If with ssh, what shell/client are you using for connecting? Is this system virtualized (VMWare, VirtualBox)? Is this system up to date (latest updates, docker)?

> ModuleNotFoundError: No module named 'Crypto'

This is normally installed by `pip install --no-cache-dir -r requirements.txt`. Was there an error from this command? Are there multiple python installations on your system? Alternatively you can try `python3 -m pip install --no-cache-dir -r requirements.txt`
I was only able to replicate the problem by entering an incorrect 2FA code or if Apple didn't accept it. I believe the issue is likely related to the account, as usual. I've added some additional logging and better error handling to the dev branch to narrow down the error. For this, it's best to reset everything and start fresh. The 3rd command just needs to be slightly modified (different tag of the container):
docker run -it --restart unless-stopped --name macless-haystack -p 6176:6176 --volume mh_data:/app/endpoint/data --network mh-network christld/macless-haystack:latest-dev
The entire requests and responses to Apple are being outputted. At least this way, we might be able to deduce the actual problem.
I've tried running this command:
docker run -it --restart unless-stopped --name macless-haystack -p 6176:6176 --volume mh_data:/app/endpoint/data --network mh-network christld/macless-haystack:latest-dev
but still get errors (and yes, I've tried to reset everything) :( Tried it on my RasPi4 now, running DietPi (Debian) and bash as my shell. I'm connecting to it, like to my server, via the Termius app.
Domain=gsa.apple.com; Path=/; Secure; HttpOnly, site=USA; Domain=apple.com; Path=/; Secure; HttpOnly
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
X-Apple-I-Rscd: 412
vary: accept-encoding
Content-Encoding: gzip
Content-Language: en-US-x-lvariant-USA
Keep-Alive: timeout=30
Traceback (most recent call last):
File "/app/endpoint/mh_endpoint.py", line 159, in <module>
apple_cryptography.registerDevice()
File "/app/endpoint/register/apple_cryptography.py", line 77, in registerDevice
getAuth(regenerate=True)
File "/app/endpoint/register/apple_cryptography.py", line 50, in getAuth
mobileme = icloud_login_mobileme(
^^^^^^^^^^^^^^^^^^^^^^
File "/app/endpoint/register/pypush_gsa_icloud.py", line 40, in icloud_login_mobileme
g = gsa_authenticate(username, password)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/endpoint/register/pypush_gsa_icloud.py", line 121, in gsa_authenticate
sms_second_factor(spd["adsid"], spd["GsIdmsToken"])
File "/app/endpoint/register/pypush_gsa_icloud.py", line 276, in sms_second_factor
raise Exception(
Exception: 2FA unsuccessful. Maybe wrong code or wrong number. Check your account details.
Weird thing is, that I don't get the 2FA Popup and need to go into settings and copy a code from there. :( I don't really want to create a new Apple ID xD All I want is to log the location of my tags (to see where they went -> for my bicycles)
You guys are all having issues with 2FA? Have you tried using --trusteddevice with biemster's script? GSA won't accept 2FA tokens from a trusted device if it's expecting SMS, and vice-versa. The other thing you could possibly do is, if you have a real mac logged into the account, use the anisette headers from the mac to bypass 2FA.
> When launching macless-haystack I see a strange behavior, maybe this is related:
> remote: Enumerating objects: 88, done.
> remote: Counting objects: 100% (88/88), done.
> remote: Compressing objects: 100% (47/47), done.
> remote: Total 75 (delta 37), reused 56 (delta 25), pack-reused 0
> Unpacking objects: 100% (75/75), 3.62 MiB | 18.26 MiB/s, done.
> From dchristl/macless-haystack
>    branch main -> FETCH_HEAD
>    32ab133..e2ad25c main -> origin/main
> 2024-03-04 17:46:54,267 - INFO - No auth-token found.
> 2024-03-04 17:46:54,268 - INFO - Trying to register new device.
> Apple ID: [email protected]
> Password:
> 2024-03-04 17:47:20,772 - INFO - 2FA required, requesting code
> 2024-03-04 17:47:22,892 - INFO - 2FA required, requesting code
> Enter 2FA code: 326094
> 2024-03-04 17:48:02,547 - INFO - 2FA successful
> 2024-03-04 17:48:04,620 - INFO - 2FA required, requesting code
> Enter 2FA code:
> Here is what is strange:
> - As you can see there are 2 lines saying it's requesting 2FA. Maybe this is why, even if I enter the 2FA, it's still asking for the 2nd 2FA?
> - Even if I enter a random 2FA I get at least one line saying `2FA successful`
Asking multiple times could also be caused by several things, probably Apple's server returning something odd in response to the SMS that we interpret as success. When success is received in response to the 2FA submission, we essentially just make the initial login request again; if 2FA was really successful, then it doesn't prompt for a second factor the second time.
> Exception: 2FA unsuccessful. Maybe wrong code or wrong number. Check your account details.

Yes, that's an intentional exception, and that's the new error handling I've implemented. Apple doesn't accept your 2FA, so you can't log in. The error description now also states that you mistyped or your data with Apple is incorrect.

> Weird thing is, that I don't get the 2FA Popup and need to go into settings and copy a code from there.

What kind of pop-up are you expecting? Where are you copying any 2FA code from? You must receive a text message, only codes from SMS are accepted. Did you get a message?

> Asking multiple times could also be caused by several things, probably Apple's server returning something odd in response to the SMS that we interpret as success. When success is received in response to the 2FA submission, we essentially just make the initial login request again; if 2FA was really successful, then it doesn't prompt for a second factor the second time.
That happens doubly whenever the 2FA-code is incorrect; on the next retrieval, it's requested again. There's an error in the original script from biemster, which always outputs "2FA successful". I've added an additional check in the dev branch to immediately abort (see above).
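The last two replies describe the control flow behind the double prompt: the script treats the SMS submission as successful regardless of the reply, re-runs the initial login, and so prompts for a second factor again whenever the code was actually rejected. The following is an added example, not code from macless-haystack or biemster's FindMy, that models that loop against a constructed fake second-factor server and puts it beside the fail-fast variant the dev branch moved to. The server, its status values (412 is borrowed from the `X-Apple-I-Rscd: 412` header in the trace above purely as the "rejected" marker), the code `123456` and both login loops are all constructed for illustration.

```python
"""Second-factor result handling, modelled on the double-prompt discussion above.

Added example, not code from macless-haystack or biemster's FindMy. The thread
says the original script reported "2FA successful" for any code and then re-ran
the initial login, which prompted for a second factor again. The fake server,
its status values and both login loops below are constructed to show that
control flow and the bounded, fail-fast variant the dev branch moved to.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

NEEDS_2FA = "2fa-required"
TOKEN = "session-token"


class SecondFactorRejected(Exception):
    """Raised as soon as a submitted code is not accepted."""


@dataclass
class FakeSecondFactorServer:
    """Constructed stand-in for an SMS second-factor endpoint; not Apple's API.

    It keeps the one trait visible in the trace above: the verification reply
    carries a status (the posted trace shows `X-Apple-I-Rscd: 412`), and only
    that status says whether the code was accepted. 412 is reused here as the
    constructed "rejected" value.
    """
    valid_code: str
    trusted: bool = False
    log: List[str] = field(default_factory=list)

    def login(self) -> str:
        self.log.append("login")
        return TOKEN if self.trusted else NEEDS_2FA

    def verify(self, code: str) -> int:
        self.log.append(f"verify:{code}")
        if code == self.valid_code:
            self.trusted = True
            return 200
        return 412


def naive_login(server: FakeSecondFactorServer, codes: Iterable[str],
                max_rounds: int = 5) -> Tuple[Optional[str], int]:
    """The failure mode: verify() status ignored, login re-run until codes run out."""
    prompts = 0
    codes = iter(codes)
    for _ in range(max_rounds):
        if server.login() == TOKEN:
            return TOKEN, prompts
        code = next(codes, None)          # "Enter 2FA code:"
        if code is None:
            return None, prompts
        prompts += 1
        server.verify(code)               # status dropped; the script printed "2FA successful" here
    return None, prompts


def strict_login(server: FakeSecondFactorServer, codes: Iterable[str],
                 max_attempts: int = 3) -> Tuple[str, int]:
    """Fail fast: a rejected code raises with a message like the dev branch's."""
    prompts = 0
    codes = iter(codes)
    for _ in range(max_attempts):
        if server.login() == TOKEN:
            return TOKEN, prompts
        code = next(codes, None)
        if code is None:
            raise SecondFactorRejected("no 2FA code entered")
        prompts += 1
        status = server.verify(code)
        if status != 200:
            raise SecondFactorRejected(
                f"2FA unsuccessful (status {status}). Maybe wrong code or wrong number. "
                "Check your account details."
            )
    raise SecondFactorRejected(f"no token after {max_attempts} attempts")


def run(policy, codes: Iterable[str], valid_code: str = "123456") -> Dict[str, object]:
    """Drive one policy against a fresh fake server and summarise what happened."""
    server = FakeSecondFactorServer(valid_code=valid_code)
    try:
        token, prompts = policy(server, codes)
        error = None
    except SecondFactorRejected as exc:
        token, prompts, error = None, None, str(exc)
    return {"token": token, "prompts": prompts, "error": error, "log": list(server.log)}


if __name__ == "__main__":
    # Constructed inputs: one wrong code, then the right one.
    print("naive :", run(naive_login, ["000000", "123456"]))
    print("strict:", run(strict_login, ["000000", "123456"]))
```

With two wrong codes the naive loop logs `login, verify, login, verify, login`, which is exactly the repeated "2FA required, requesting code" / "Enter 2FA code:" pattern posted above, while the strict loop stops at the first rejected code with the message the dev branch now prints. The practical takeaway for anyone debugging this is that a "successful" line from the old script carries no information; only the absence of a second prompt does.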
